7.8
HIGH
CVE-2023-52637
Oracle Solaris CAN J1939 UAF Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...) modifies jsk->filters while receiving packets. Following trace was seen on affected system: ================================================================== BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] Read of size 4 at addr ffff888012144014 by task j1939/350 CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: print_report+0xd3/0x620 ? kasan_complete_mode_report_info+0x7d/0x200 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] kasan_report+0xc2/0x100 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] __asan_load4+0x84/0xb0 j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] j1939_sk_recv+0x20b/0x320 [can_j1939] ? __kasan_check_write+0x18/0x20 ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939] ? j1939_simple_recv+0x69/0x280 [can_j1939] ? j1939_ac_recv+0x5e/0x310 [can_j1939] j1939_can_recv+0x43f/0x580 [can_j1939] ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] ? raw_rcv+0x42/0x3c0 [can_raw] ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] can_rcv_filter+0x11f/0x350 [can] can_receive+0x12f/0x190 [can] ? __pfx_can_rcv+0x10/0x10 [can] can_rcv+0xdd/0x130 [can] ? __pfx_can_rcv+0x10/0x10 [can] __netif_receive_skb_one_core+0x13d/0x150 ? __pfx___netif_receive_skb_one_core+0x10/0x10 ? __kasan_check_write+0x18/0x20 ? _raw_spin_lock_irq+0x8c/0xe0 __netif_receive_skb+0x23/0xb0 process_backlog+0x107/0x260 __napi_poll+0x69/0x310 net_rx_action+0x2a1/0x580 ? __pfx_net_rx_action+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? handle_irq_event+0x7d/0xa0 __do_softirq+0xf3/0x3f8 do_softirq+0x53/0x80 </IRQ> <TASK> __local_bh_enable_ip+0x6e/0x70 netif_rx+0x16b/0x180 can_send+0x32b/0x520 [can] ? __pfx_can_send+0x10/0x10 [can] ? __check_object_size+0x299/0x410 raw_sendmsg+0x572/0x6d0 [can_raw] ? __pfx_raw_sendmsg+0x10/0x10 [can_raw] ? apparmor_socket_sendmsg+0x2f/0x40 ? __pfx_raw_sendmsg+0x10/0x10 [can_raw] sock_sendmsg+0xef/0x100 sock_write_iter+0x162/0x220 ? __pfx_sock_write_iter+0x10/0x10 ? __rtnl_unlock+0x47/0x80 ? security_file_permission+0x54/0x320 vfs_write+0x6ba/0x750 ? __pfx_vfs_write+0x10/0x10 ? __fget_light+0x1ca/0x1f0 ? __rcu_read_unlock+0x5b/0x280 ksys_write+0x143/0x170 ? __pfx_ksys_write+0x10/0x10 ? __kasan_check_read+0x15/0x20 ? fpregs_assert_state_consistent+0x62/0x70 __x64_sys_write+0x47/0x60 do_syscall_64+0x60/0x90 ? do_syscall_64+0x6d/0x90 ? irqentry_exit+0x3f/0x50 ? exc_page_fault+0x79/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 348: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x1f/0x30 __kasan_kmalloc+0xb5/0xc0 __kmalloc_node_track_caller+0x67/0x160 j1939_sk_setsockopt+0x284/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 349: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40 kasan_save_free_info+0x2f/0x50 __kasan_slab_free+0x12e/0x1c0 __kmem_cache_free+0x1b9/0x380 kfree+0x7a/0x120 j1939_sk_setsockopt+0x3b2/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

INFO

Published Date :

April 3, 2024, 3:15 p.m.

Last Modified :

Jan. 7, 2025, 5:22 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

5.9

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2023-52637 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
1 Debian debian_linux
: Total Affected Vendor : 2 | Products : 2
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-52637.

URL Resource
https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 Patch
https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 Patch
https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed Patch
https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba Patch
https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc Patch
https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 Patch
https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d Patch
https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 Patch
https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 Patch
https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed Patch
https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba Patch
https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc Patch
https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 Patch
https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-52637 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2023-52637 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jan. 07, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE NIST CWE-416
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4 up to (excluding) 5.4.269 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.210 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.149 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.79 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.18 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.6 *cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
    Changed Reference Type https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 No Types Assigned https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 Patch
    Changed Reference Type https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 No Types Assigned https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 Patch
    Changed Reference Type https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 No Types Assigned https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 Patch
    Changed Reference Type https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 No Types Assigned https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 Patch
    Changed Reference Type https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed No Types Assigned https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed Patch
    Changed Reference Type https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed No Types Assigned https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed Patch
    Changed Reference Type https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba No Types Assigned https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba Patch
    Changed Reference Type https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba No Types Assigned https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba Patch
    Changed Reference Type https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc No Types Assigned https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc Patch
    Changed Reference Type https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc No Types Assigned https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc Patch
    Changed Reference Type https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 No Types Assigned https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 Patch
    Changed Reference Type https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 No Types Assigned https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 Patch
    Changed Reference Type https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d No Types Assigned https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d Patch
    Changed Reference Type https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d No Types Assigned https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d Patch
    Changed Reference Type https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html No Types Assigned https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532
    Added Reference https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8
    Added Reference https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
    Added Reference https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba
    Added Reference https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc
    Added Reference https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50
    Added Reference https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 04, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 03, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...) modifies jsk->filters while receiving packets. Following trace was seen on affected system: ================================================================== BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] Read of size 4 at addr ffff888012144014 by task j1939/350 CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: print_report+0xd3/0x620 ? kasan_complete_mode_report_info+0x7d/0x200 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] kasan_report+0xc2/0x100 ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] __asan_load4+0x84/0xb0 j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] j1939_sk_recv+0x20b/0x320 [can_j1939] ? __kasan_check_write+0x18/0x20 ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939] ? j1939_simple_recv+0x69/0x280 [can_j1939] ? j1939_ac_recv+0x5e/0x310 [can_j1939] j1939_can_recv+0x43f/0x580 [can_j1939] ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] ? raw_rcv+0x42/0x3c0 [can_raw] ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] can_rcv_filter+0x11f/0x350 [can] can_receive+0x12f/0x190 [can] ? __pfx_can_rcv+0x10/0x10 [can] can_rcv+0xdd/0x130 [can] ? __pfx_can_rcv+0x10/0x10 [can] __netif_receive_skb_one_core+0x13d/0x150 ? __pfx___netif_receive_skb_one_core+0x10/0x10 ? __kasan_check_write+0x18/0x20 ? _raw_spin_lock_irq+0x8c/0xe0 __netif_receive_skb+0x23/0xb0 process_backlog+0x107/0x260 __napi_poll+0x69/0x310 net_rx_action+0x2a1/0x580 ? __pfx_net_rx_action+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? handle_irq_event+0x7d/0xa0 __do_softirq+0xf3/0x3f8 do_softirq+0x53/0x80 </IRQ> <TASK> __local_bh_enable_ip+0x6e/0x70 netif_rx+0x16b/0x180 can_send+0x32b/0x520 [can] ? __pfx_can_send+0x10/0x10 [can] ? __check_object_size+0x299/0x410 raw_sendmsg+0x572/0x6d0 [can_raw] ? __pfx_raw_sendmsg+0x10/0x10 [can_raw] ? apparmor_socket_sendmsg+0x2f/0x40 ? __pfx_raw_sendmsg+0x10/0x10 [can_raw] sock_sendmsg+0xef/0x100 sock_write_iter+0x162/0x220 ? __pfx_sock_write_iter+0x10/0x10 ? __rtnl_unlock+0x47/0x80 ? security_file_permission+0x54/0x320 vfs_write+0x6ba/0x750 ? __pfx_vfs_write+0x10/0x10 ? __fget_light+0x1ca/0x1f0 ? __rcu_read_unlock+0x5b/0x280 ksys_write+0x143/0x170 ? __pfx_ksys_write+0x10/0x10 ? __kasan_check_read+0x15/0x20 ? fpregs_assert_state_consistent+0x62/0x70 __x64_sys_write+0x47/0x60 do_syscall_64+0x60/0x90 ? do_syscall_64+0x6d/0x90 ? irqentry_exit+0x3f/0x50 ? exc_page_fault+0x79/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 348: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x1f/0x30 __kasan_kmalloc+0xb5/0xc0 __kmalloc_node_track_caller+0x67/0x160 j1939_sk_setsockopt+0x284/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 349: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40 kasan_save_free_info+0x2f/0x50 __kasan_slab_free+0x12e/0x1c0 __kmem_cache_free+0x1b9/0x380 kfree+0x7a/0x120 j1939_sk_setsockopt+0x3b2/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    Added Reference kernel.org https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-52637 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-52637 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: